Annoying Pop-up

[Jan Il]

Hi Gary

You don't mention the version of Windows you are using, which really is a
must when asking for help in the newsgroups, but, try the following as it
may apply
to your OS and see if it helps:

Dealing with Unwanted Spyware and Parasites:
http://mvps.org/winhelp2002/unwanted.htm
Be aware, your Anti-Virus won't detect all types of warez, Trojans, malware,
worms, etc., and neither can other adware or spyware related programs such
as AdAware and SpyBot. They don't have the proper definitions. They must
also be run in Safe Mode with Hidden Files enabled in order to fully scan
all files. Even if you have run such programs and nothing shows up, it does
not mean your system is clean. It takes a series of programs to fully clean
your machine. *Some very aggressive and damaging variants of malware can
replicate themselves repeatedly, or mutate, if not removed properly.*

Also, download and install HiJackThis. This is one of the most important
steps. Follow all instructions carefully. This program should be run in
Normal mode.

How to download and install HiJackThis: Win 98-XP
http://www.download.com/HijackThis/3000-8022_4-10227353.html

Please…. DO NOT post your log HiJackThis log to this newsgroup. DO NOT
delete anything from the list yourself unless you are an experienced user of
this program. It is important that you post your log on one of the
HiJackThis Support Forums below and allow the experts there to analyze it
for you:
AumHa HiJackThis Forum
http://forum.aumha.org/viewforum.p
(http://www.dslreports.com/forum/security)
to allow the experts there to evaluate your log and advise you of any
necessary steps to clean your system.
(Note: You will have to Register before posting on these Forums.
http://aumha.net/profile.php?mode=register
Please follow all pre- posting instructions below carefully to avoid having
your log deleted or ignored.
http://forum.aumha.org/viewtopic.ph...ghlight=&sid=b59f8de4de1850003b79b74558a4b58b)
All responders are volunteers and they are very busy, so please be patient.
Please see http://aumha.net/viewtopic.php?t=4075 and
http://aumha.org/a/quickfix.htm before posting to the forum.

Please post a link back here to your log at AumHa so that we can follow your
progress.

Hope this helps.

Jan
MS MVP - Windows IE/OE [DTS/AumHa]
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit or other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm

I thought surely someone would have poppeed in by now with the standard
post on dealing with malware. Unfortunately I've lost track of my copy.
I'm cross-posting this to
microsoft.public.windows.inetexplorer.ie6.browser, where someone is sure
to jump in.

Thanks for your inputs, Gary!
Both you and Dave agree on this and I believe that the machine is
infected,
after all.
Any advise?

"about:blank" in the address bar with a page full of links to pages
you've
never been to and have no interest in visiting is characteristic of a
class of browser hijackers. You're almost certainly infected or are
seeing the remains of an infection.


?I find it very difficult to believe that the machine is infected.
The usage
of it has been very limited.
Just one time I was on the Internet trying to compare the speed of
PeoplePc
vs AOL's while logging on the site of a local Bank and bringing up
various
pages!
Incidentally, unlike the machine that I am currently on, which shows
an
empty page, when I click on Internet Explorer (same 6.0), the
infected
machine, displays a page full of names of sites that I can click on,
in spite
of the fact that the address window also shows 'About blank'. Of
course,
clicking on any site will bring a page saying that it's not available
offline.
At any rate, I will need time to sort this out and try to understand
the
solutions offered by the sites you
suggested.
Thank you!




:

Your machine is infected.

http://www.sophos.com/virusinfo/analyses/w32sdbotxh.html

http://www.symantec.com/avcenter/venc/data/trojan.startpage.html

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| ?Dave, this is what I got:
| [Startup Programs]
|
| Program Command User Name
| windesktop c:\winnt\system32\windesktop.exe .DEFAULT
| Location
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
| windesktop c:\winnt\system32\windesktop.exe All Users
| Location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
| sp rundll32 c:\docume~1\bernar~1\locals~1\temp\se.dll,dllinstall
All
| Users
| Location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
| Synchronization Manager mobsync.exe /logon All Users
| Location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
| Incidentally, the options for Edit|Select All and Edit|Copy were
not
present
| on the screen Display. The only option available was to Save the
Contents
in
| a File. No problem.
|
| Was having hard time lining up the info in a proper sequence.
Hoever, I am
| confident that you can see what you need to see.
| Thanks!
| ********

 

[Gary Smith]

I'm not the original poster, but the message was posted in a Windows 2000
group so I'm assuming that's the relevant version. I agree that
HiJackThis is the best way to go. Another possible approach is to try
Ad-Aware and Spybot Search & Destroy. They may be able to identify the
intruder even if they're not successful in removing it. Given the name,
you may be able to find removal instructions using Google. That's how I
cleaned an infection off my grandson's laptop a couple of months ago.

Hi Gary

You don't mention the version of Windows you are using, which really is a
must when asking for help in the newsgroups, but, try the following as it
may apply
to your OS and see if it helps:

Dealing with Unwanted Spyware and Parasites:
http://mvps.org/winhelp2002/unwanted.htm
Be aware, your Anti-Virus won't detect all types of warez, Trojans, malware,
worms, etc., and neither can other adware or spyware related programs such
as AdAware and SpyBot. They don't have the proper definitions. They must
also be run in Safe Mode with Hidden Files enabled in order to fully scan
all files. Even if you have run such programs and nothing shows up, it does
not mean your system is clean. It takes a series of programs to fully clean
your machine. *Some very aggressive and damaging variants of malware can
replicate themselves repeatedly, or mutate, if not removed properly.*

Also, download and install HiJackThis. This is one of the most important
steps. Follow all instructions carefully. This program should be run in
Normal mode.

How to download and install HiJackThis: Win 98-XP
http://www.download.com/HijackThis/3000-8022_4-10227353.html

Please?. DO NOT post your log HiJackThis log to this newsgroup. DO NOT
delete anything from the list yourself unless you are an experienced user of
this program. It is important that you post your log on one of the
HiJackThis Support Forums below and allow the experts there to analyze it
for you:
AumHa HiJackThis Forum
http://forum.aumha.org/viewforum.p
(http://www.dslreports.com/forum/security)
to allow the experts there to evaluate your log and advise you of any
necessary steps to clean your system.
(Note: You will have to Register before posting on these Forums.
http://aumha.net/profile.php?mode=register
Please follow all pre- posting instructions below carefully to avoid having
your log deleted or ignored.
http://forum.aumha.org/viewtopic.ph...ghlight=&sid=b59f8de4de1850003b79b74558a4b58b)
All responders are volunteers and they are very busy, so please be patient.
Please see http://aumha.net/viewtopic.php?t=4075 and
http://aumha.org/a/quickfix.htm before posting to the forum.

Please post a link back here to your log at AumHa so that we can follow your
progress.

Hope this helps.

Jan
MS MVP - Windows IE/OE [DTS/AumHa]
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit or other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm

I thought surely someone would have poppeed in by now with the standard
post on dealing with malware. Unfortunately I've lost track of my copy.
I'm cross-posting this to
microsoft.public.windows.inetexplorer.ie6.browser, where someone is sure
to jump in.

Thanks for your inputs, Gary!
Both you and Dave agree on this and I believe that the machine is
infected,
after all.
Any advise?

"Gary Smith" wrote:

"about:blank" in the address bar with a page full of links to pages
you've
never been to and have no interest in visiting is characteristic of a
class of browser hijackers. You're almost certainly infected or are
seeing the remains of an infection.


?I find it very difficult to believe that the machine is infected.
The usage
of it has been very limited.
Just one time I was on the Internet trying to compare the speed of
PeoplePc
vs AOL's while logging on the site of a local Bank and bringing up
various
pages!
Incidentally, unlike the machine that I am currently on, which shows
an
empty page, when I click on Internet Explorer (same 6.0), the
infected
machine, displays a page full of names of sites that I can click on,
in spite
of the fact that the address window also shows 'About blank'. Of
course,
clicking on any site will bring a page saying that it's not available
offline.
At any rate, I will need time to sort this out and try to understand
the
solutions offered by the sites you
suggested.
Thank you!




:

Your machine is infected.

http://www.sophos.com/virusinfo/analyses/w32sdbotxh.html

http://www.symantec.com/avcenter/venc/data/trojan.startpage.html

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| ?Dave, this is what I got:
| [Startup Programs]
|
| Program Command User Name
| windesktop c:\winnt\system32\windesktop.exe .DEFAULT
| Location
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
| windesktop c:\winnt\system32\windesktop.exe All Users
| Location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
| sp rundll32 c:\docume~1\bernar~1\locals~1\temp\se.dll,dllinstall
All
| Users
| Location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
| Synchronization Manager mobsync.exe /logon All Users
| Location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
| Incidentally, the options for Edit|Select All and Edit|Copy were
not
present
| on the screen Display. The only option available was to Save the
Contents
in
| a File. No problem.
|
| Was having hard time lining up the info in a proper sequence.
Hoever, I am
| confident that you can see what you need to see.
| Thanks!
| ********

 

[Dave Patrick]

IIRC this was a new install hence it probably isn't worth spending much time
with these things.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| I'm not the original poster, but the message was posted in a Windows 2000
| group so I'm assuming that's the relevant version. I agree that
| HiJackThis is the best way to go. Another possible approach is to try
| Ad-Aware and Spybot Search & Destroy. They may be able to identify the
| intruder even if they're not successful in removing it. Given the name,
| you may be able to find removal instructions using Google. That's how I
| cleaned an infection off my grandson's laptop a couple of months ago.

 

[Jan Il]

Hi Gary

I'm not the original poster, but the message was posted in a Windows 2000
group so I'm assuming that's the relevant version. I agree that
HiJackThis is the best way to go. Another possible approach is to try
Ad-Aware and Spybot Search & Destroy. They may be able to identify the
intruder even if they're not successful in removing it. Given the name,
you may be able to find removal instructions using Google. That's how I
cleaned an infection off my grandson's laptop a couple of months ago.

Agreed. And, if you take a peek at the information the "Dealing with
Unwanted..." that I posted you would see that both AdAware and SpyBot are
covered in the information, as are other very important steps in the
instructions. HJT is an additional step to make sure any hidden or residual
scumware is removed that might not be removed or cleaned by the other
processes. The two make a very good initial cleaning process, and is usually
all that is needed for most scumware.


Jan
MS MVP - Windows IE/OE [DTS/AumHa]
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit or other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm

Hi Gary

You don't mention the version of Windows you are using, which really is a
must when asking for help in the newsgroups, but, try the following as it
may apply
to your OS and see if it helps:

Dealing with Unwanted Spyware and Parasites:
http://mvps.org/winhelp2002/unwanted.htm
Be aware, your Anti-Virus won't detect all types of warez, Trojans,
malware,
worms, etc., and neither can other adware or spyware related programs
such
as AdAware and SpyBot. They don't have the proper definitions. They must
also be run in Safe Mode with Hidden Files enabled in order to fully scan
all files. Even if you have run such programs and nothing shows up, it
does
not mean your system is clean. It takes a series of programs to fully
clean
your machine. *Some very aggressive and damaging variants of malware can
replicate themselves repeatedly, or mutate, if not removed properly.*

Also, download and install HiJackThis. This is one of the most important
steps. Follow all instructions carefully. This program should be run in
Normal mode.

How to download and install HiJackThis: Win 98-XP
http://www.download.com/HijackThis/3000-8022_4-10227353.html

Please?. DO NOT post your log HiJackThis log to this newsgroup. DO NOT
delete anything from the list yourself unless you are an experienced user
of
this program. It is important that you post your log on one of the
HiJackThis Support Forums below and allow the experts there to analyze it
for you:
AumHa HiJackThis Forum
http://forum.aumha.org/viewforum.p
(http://www.dslreports.com/forum/security)
to allow the experts there to evaluate your log and advise you of any
necessary steps to clean your system.
(Note: You will have to Register before posting on these Forums.
http://aumha.net/profile.php?mode=register
Please follow all pre- posting instructions below carefully to avoid
having
your log deleted or ignored.
http://forum.aumha.org/viewtopic.ph...ghlight=&sid=b59f8de4de1850003b79b74558a4b58b)
All responders are volunteers and they are very busy, so please be
patient.
Please see http://aumha.net/viewtopic.php?t=4075 and
http://aumha.org/a/quickfix.htm before posting to the forum.

Please post a link back here to your log at AumHa so that we can follow
your
progress.

Hope this helps.

Jan
MS MVP - Windows IE/OE [DTS/AumHa]
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit or other
readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm

I thought surely someone would have poppeed in by now with the standard
post on dealing with malware. Unfortunately I've lost track of my
copy.
I'm cross-posting this to
microsoft.public.windows.inetexplorer.ie6.browser, where someone is
sure
to jump in.


Thanks for your inputs, Gary!
Both you and Dave agree on this and I believe that the machine is
infected,
after all.
Any advise?

:

"about:blank" in the address bar with a page full of links to pages
you've
never been to and have no interest in visiting is characteristic of
a
class of browser hijackers. You're almost certainly infected or are
seeing the remains of an infection.


?I find it very difficult to believe that the machine is infected.
The usage
of it has been very limited.
Just one time I was on the Internet trying to compare the speed of
PeoplePc
vs AOL's while logging on the site of a local Bank and bringing up
various
pages!
Incidentally, unlike the machine that I am currently on, which
shows
an
empty page, when I click on Internet Explorer (same 6.0), the
infected
machine, displays a page full of names of sites that I can click
on,
in spite
of the fact that the address window also shows 'About blank'. Of
course,
clicking on any site will bring a page saying that it's not
available
offline.
At any rate, I will need time to sort this out and try to
understand
the
solutions offered by the sites you
suggested.
Thank you!




:

Your machine is infected.

http://www.sophos.com/virusinfo/analyses/w32sdbotxh.html

http://www.symantec.com/avcenter/venc/data/trojan.startpage.html

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| ?Dave, this is what I got:
| [Startup Programs]
|
| Program Command User Name
| windesktop c:\winnt\system32\windesktop.exe .DEFAULT
| Location
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
| windesktop c:\winnt\system32\windesktop.exe All Users
| Location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
| sp rundll32
c:\docume~1\bernar~1\locals~1\temp\se.dll,dllinstall
All
| Users
| Location
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
| Synchronization Manager mobsync.exe /logon All Users
| Location
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
| Incidentally, the options for Edit|Select All and Edit|Copy
were
not
present
| on the screen Display. The only option available was to Save
the
Contents
in
| a File. No problem.
|
| Was having hard time lining up the info in a proper sequence.
Hoever, I am
| confident that you can see what you need to see.
| Thanks!
| ********

 

[Jan Il]

Hi Dave

IIRC this was a new install hence it probably isn't worth spending much
time
with these things.

Not true at all. Even with the firewall and perhaps Antivirus activated,
just a short browsing trip to the Internet before going to Windows Update
for updates and patches can allow the system to become infected.

Jan
MS MVP - Windows IE/OE [DTS/AumHa]
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit or other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| I'm not the original poster, but the message was posted in a Windows
2000
| group so I'm assuming that's the relevant version. I agree that
| HiJackThis is the best way to go. Another possible approach is to try
| Ad-Aware and Spybot Search & Destroy. They may be able to identify the
| intruder even if they're not successful in removing it. Given the name,
| you may be able to find removal instructions using Google. That's how I
| cleaned an infection off my grandson's laptop a couple of months ago.

 

[Dave Patrick]

You mis-read my reply. Here's the rest of the thread.

http://www.microsoft.com/communitie...a44207-bfe8-4e1f-be10-e627e8e6eab7&sloc=en-us

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Hi Dave
| Not true at all. Even with the firewall and perhaps Antivirus activated,
| just a short browsing trip to the Internet before going to Windows Update
| for updates and patches can allow the system to become infected.
|
| Jan
| MS MVP - Windows IE/OE [DTS/AumHa]
| Smiles are meant to be shared,
| that's why they're so contagious.
|
| Replies are posted only to the newsgroup for the benefit or other readers.
| How to make a good newsgroup post:
| http://www.dts-l.org/goodpost.htm

 

[Jan Il]

You mis-read my reply. Here's the rest of the thread.

http://www.microsoft.com/communitie...a44207-bfe8-4e1f-be10-e627e8e6eab7&sloc=en-us

Thanks for the link. But, why should BAP not want to bother with such
things? If he can clean the system instead of having to do a whole wipe and
reinstall, why not? That seems rather extreme.

Jan
MS MVP - Windows IE/OE [DTS/AumHa]
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit or other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Hi Dave
| Not true at all. Even with the firewall and perhaps Antivirus
activated,
| just a short browsing trip to the Internet before going to Windows
Update
| for updates and patches can allow the system to become infected.
|
| Jan
| MS MVP - Windows IE/OE [DTS/AumHa]
| Smiles are meant to be shared,
| that's why they're so contagious.
|
| Replies are posted only to the newsgroup for the benefit or other
readers.
| How to make a good newsgroup post:
| http://www.dts-l.org/goodpost.htm

 

[Dave Patrick]

I think the installation was new and given the fact that it is now
virus/spyware ridden I personally wouldn't waste any time with it.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Thanks for the link. But, why should BAP not want to bother with such
| things? If he can clean the system instead of having to do a whole wipe
and
| reinstall, why not? That seems rather extreme.
|
| Jan
| MS MVP - Windows IE/OE [DTS/AumHa]
| Smiles are meant to be shared,
| that's why they're so contagious.

 

[Guest]

Sorry, Dave, if this is not the proper spot to add additional information. I
really do not know where to enter it. At any rate:

I finally got to download and install AVG, Spybot, Ad_Aware and JijackThis.
SpyBot is not functional, yet. Something else is needed for it to run. AVG
is functional. Incidentally, for 'who knows what reason', the annoying pop-up
had misteriously quit popping up before any of the Antivirus Software was
installed.

Currently, during Bootup, the first pop up display shows:
Error Loading C:\Docume~1\(User-name)\Locals~1\Temp\|se.dll Access is
denied.
Then, shortly after that,
Virus Detected, while opening ............same as above, but without the
‘Access is denied’.
I navigated to that Folder and started pointing at each entry, displayed in
a details fashion.
Several more appeared to be affected, namely:
deig.exe, gmhg.exe, ieie.exe, nhbg.exe, ilpo.exe and oigg.exe.
The se.dll is shown as Trojan Horse StartPage.19.J
The next 3, deig.exe, gmhg.exe, ieie.exe, as Virus found Downloader.Tibs
The last 3, nhbg.exe, ilpo.exe and oigg.exe, as Virus found Klone.
I allowed the Folder to be checked by AVG and it came up with the seven
infected items, as shown above.

At this point I am not sure of what can or should be done or if permissions
are in place to do anything.
Should any activity be done in Safe Mode?
Thank you or anyone who might want to help!
******

 

[Dave Patrick]

If the machine is networked you can usually pick most of these off while the
affected machine is logged off from another pc. Might take you an hour or so
to get them all though. These things recreate themselves (usually at logon)
with a different name for the EXE each time. Personally I'd start a clean
installation.

To do a clean install, either boot the Windows 2000 install CD-Rom or setup
disks. The set of four install disks can be created from your Windows 2000
CD-Rom; change to the \bootdisk directory on the CD-Rom and execute
makeboot.exe (from dos) or makebt32.exe (from 32 bit) and follow the
prompts.

Setup inspects your computer's hardware configuration and then begins to
install the Setup and driver files. When the Windows 2000 Professional
screen appears, press ENTER to set up Windows 2000 Professional.

Read the license agreement, and then press the F8 key to accept the terms of
the license agreement and continue the installation.

When the Windows 2000 Professional Setup screen appears, all the existing
partitions and the unpartitioned spaces are listed for each physical hard
disk. Use the ARROW keys to select the partitions Press D to delete an
existing partition, If you press D to delete an existing partition, you must
then press L (or press ENTER, and then press L if it is the System
partition) to confirm that you want to delete the partition. Repeat this
step for each of the existing partitions When all the partitions are deleted
press F3 to exit setup, (to avoid unexpected drive letter assignments with
your new install) then restart the pc then when you get to this point in
setup again select the unpartitioned space, and then press C to create a new
partition and specify the size (if required). Windows will by default use
all available space.

Be sure to apply these to your new install before connecting to any network
(internet included).

http://download.microsoft.com/download/E/6/A/E6A04295-D2A8-40D0-A0C5-241BFECD095E/W2KSP4_EN.EXE
http://www.microsoft.com/technet/security/bulletin/MS03-043.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

Then

Rollup 1 for Microsoft Windows 2000 Service Pack 4
http://www.microsoft.com/downloads/...CF-8850-4531-B52B-BF28B324C662&displaylang=en

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Sorry, Dave, if this is not the proper spot to add additional information.
I
| really do not know where to enter it. At any rate:
|
| ?I finally got to download and install AVG, Spybot, Ad_Aware and
JijackThis.
| SpyBot is not functional, yet. Something else is needed for it to run.
AVG
| is functional. Incidentally, for 'who knows what reason', the annoying
pop-up
| had misteriously quit popping up before any of the Antivirus Software was
| installed.
|
| Currently, during Bootup, the first pop up display shows:
| Error Loading C:\Docume~1\(User-name)\Locals~1\Temp\|se.dll Access is
| denied.
| Then, shortly after that,
| Virus Detected, while opening ............same as above, but without the
| 'Access is denied'.
| I navigated to that Folder and started pointing at each entry, displayed
in
| a details fashion.
| Several more appeared to be affected, namely:
| deig.exe, gmhg.exe, ieie.exe, nhbg.exe, ilpo.exe and oigg.exe.
| The se.dll is shown as Trojan Horse StartPage.19.J
| The next 3, deig.exe, gmhg.exe, ieie.exe, as Virus found Downloader.Tibs
| The last 3, nhbg.exe, ilpo.exe and oigg.exe, as Virus found Klone.
| I allowed the Folder to be checked by AVG and it came up with the seven
| infected items, as shown above.
|
| At this point I am not sure of what can or should be done or if
permissions
| are in place to do anything.
| Should any activity be done in Safe Mode?
| Thank you or anyone who might want to help!
| ******

 

[Guest]

OUCH!
I did not expect that!
I did all that just a few months ago and lost all the installed Applications
in the process. That was unexpected, unless my process of doing it might have
been incorrect.
The machine is a stand-alone unit that I inherited and have been spending
some time on. There were no original CDs for some of the lost Applications.
From your comments, I gather that the downloaded Anti-virus Software will
not do me much good, at this time.
Back to the drawing board!

Thanks!

If the machine is networked you can usually pick most of these off while the
affected machine is logged off from another pc. Might take you an hour or so
to get them all though. These things recreate themselves (usually at logon)
with a different name for the EXE each time. Personally I'd start a clean
installation.

To do a clean install, either boot the Windows 2000 install CD-Rom or setup
disks. The set of four install disks can be created from your Windows 2000
CD-Rom; change to the \bootdisk directory on the CD-Rom and execute
makeboot.exe (from dos) or makebt32.exe (from 32 bit) and follow the
prompts.

Setup inspects your computer's hardware configuration and then begins to
install the Setup and driver files. When the Windows 2000 Professional
screen appears, press ENTER to set up Windows 2000 Professional.

Read the license agreement, and then press the F8 key to accept the terms of
the license agreement and continue the installation.

When the Windows 2000 Professional Setup screen appears, all the existing
partitions and the unpartitioned spaces are listed for each physical hard
disk. Use the ARROW keys to select the partitions Press D to delete an
existing partition, If you press D to delete an existing partition, you must
then press L (or press ENTER, and then press L if it is the System
partition) to confirm that you want to delete the partition. Repeat this
step for each of the existing partitions When all the partitions are deleted
press F3 to exit setup, (to avoid unexpected drive letter assignments with
your new install) then restart the pc then when you get to this point in
setup again select the unpartitioned space, and then press C to create a new
partition and specify the size (if required). Windows will by default use
all available space.

Be sure to apply these to your new install before connecting to any network
(internet included).

http://download.microsoft.com/download/E/6/A/E6A04295-D2A8-40D0-A0C5-241BFECD095E/W2KSP4_EN.EXE
http://www.microsoft.com/technet/security/bulletin/MS03-043.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

Then

Rollup 1 for Microsoft Windows 2000 Service Pack 4
http://www.microsoft.com/downloads/...CF-8850-4531-B52B-BF28B324C662&displaylang=en

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Sorry, Dave, if this is not the proper spot to add additional information.
I
| really do not know where to enter it. At any rate:
|
| ?I finally got to download and install AVG, Spybot, Ad_Aware and
JijackThis.
| SpyBot is not functional, yet. Something else is needed for it to run.
AVG
| is functional. Incidentally, for 'who knows what reason', the annoying
pop-up
| had misteriously quit popping up before any of the Antivirus Software was
| installed.
|
| Currently, during Bootup, the first pop up display shows:
| Error Loading C:\Docume~1\(User-name)\Locals~1\Temp\|se.dll Access is
| denied.
| Then, shortly after that,
| Virus Detected, while opening ............same as above, but without the
| 'Access is denied'.
| I navigated to that Folder and started pointing at each entry, displayed
in
| a details fashion.
| Several more appeared to be affected, namely:
| deig.exe, gmhg.exe, ieie.exe, nhbg.exe, ilpo.exe and oigg.exe.
| The se.dll is shown as Trojan Horse StartPage.19.J
| The next 3, deig.exe, gmhg.exe, ieie.exe, as Virus found Downloader.Tibs
| The last 3, nhbg.exe, ilpo.exe and oigg.exe, as Virus found Klone.
| I allowed the Folder to be checked by AVG and it came up with the seven
| infected items, as shown above.
|
| At this point I am not sure of what can or should be done or if
permissions
| are in place to do anything.
| Should any activity be done in Safe Mode?
| Thank you or anyone who might want to help!
| ******

 

[Dave Patrick]

As I said it's possible to clean. It just wouldn't be my preference.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| OUCH!
| I did not expect that!
| I did all that just a few months ago and lost all the installed
Applications
| in the process. That was unexpected, unless my process of doing it might
have
| been incorrect.
| The machine is a stand-alone unit that I inherited and have been spending
| some time on. There were no original CDs for some of the lost
Applications.
| From your comments, I gather that the downloaded Anti-virus Software will
| not do me much good, at this time.
| Back to the drawing board!
|
| Thanks!

 

[Guest]

Thank you, Dave!
Will try to build up some courage and get something done!

 

[Dave Patrick]

You're welcome.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Thank you, Dave!
| Will try to build up some courage and get something done!